[midPoint] Question about group membership management in midpoint

Sven Feyerabend Sven.Feyerabend at stuvus.uni-stuttgart.de
Fri Sep 1 18:28:55 CEST 2023


Hello David,


Groups in an LDAP directory are usually projections of midPoint roles.
For a more detailed explanation of the finer points see this blog post:
https://evolveum.com/simplifying-ldap-group-management-using-midpoint/


Usually you have some metarole(s) that define the nature of the desired 
projections; you can then manage membership of those groups via role 
membership in midPoint. The metarole is assigned to all roles that 
should be present in your directory and defines the properties of the 
assignment to the resource.


I noticed that you have a directory with the GOsa schema. As I am currently 
in the process of migrating from GOsa to a midPoint-based system, here is 
another hint:
To preserve the delegated administration provided by GOsa, I used orgs 
to model subtrees and some RBAC configuration with roles to allow 
delegated administration. This is achieved by using the subjectRelation 
mechanism in the object definition of an authorization for a role.


I hope this pointer helps.


Kind regards,

Sven


On 01.09.23 at 17:45, David Coutadeur via midPoint wrote:
>
>
> Hello,
>
>
> Thanks Arnošt for your help.
>
>
> Actually, I am not sure the metarole is what I want, and did not find 
> any tip in the documentation. (I have been searching for associations, 
> inducements, assignments,...)
>
>
> The documentation states that group membership defined by an 
> association like:
>
>
>             <association>
>                 <ref>ri:ldapGroup</ref>
>                 <displayName>Appartenance aux groupes</displayName>
>                 <kind>entitlement</kind>
>                 <intent>ldapGroup</intent>
>                 <direction>objectToSubject</direction>
>                 <associationAttribute>ri:member</associationAttribute>
>                 <valueAttribute>ri:dn</valueAttribute>
>             </association>
>
>
>
> is only visible in projections.
>
> It is not very convenient to view these groups in the midpoint 
> interface. And anyway it doesn't seem possible to manage group 
> membership there.
>
>
> My use case is quite simple: I'd like to have objects in the midPoint 
> interface that represent my LDAP groups, and to be able to manage 
> them (including their membership).
>
>
> LDAP user 1  <->  midPoint shadow account  <->  midPoint user
>      ^                                               ^
>      |                                               |
>      v                                               v
> LDAP group 1 <->  midPoint shadow group    <->  midPoint object (role?)
>
>
>
> Does anyone have an idea how to achieve this? Maybe role is not the 
> correct object?
>
>
> Regards,
>
>
>
>
> On 29/08/2023 at 13:47, Arnošt Starosta wrote:
>> Hi David,
>>
>> regarding ldap group membership  - you may be missing the necessary 
>> association configuration typically found in a metarole, please check 
>> the docs or even better some examples in the sources like this one
>>
>> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>>
>> arnost
>>
>> Arnošt Starosta
>> solution architect
>>
>> gsm: [+420] 603 794 932
>> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>>
>>
>> AMI Praha a.s.
>> Pernerova 697/35, 186 00 Praha 8
>>
>> reception: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>>
>> By the text of this e-mail the signatory neither promises to conclude 
>> nor concludes any contract on behalf of AMI Praha a.s.
>> Any contract, if concluded, must be exclusively in written form.
>>
>> This e-mail is intended solely for its addressee(s) and may contain 
>> confidential or personal information. If you are not the intended 
>> recipient, any disclosure, forwarding or other use of this information 
>> is prohibited. If you have received this e-mail in error, please inform 
>> the sender and delete all copies of this e-mail, including all its 
>> attachments, without delay. By handling improperly obtained information 
>> you expose yourself to the risk of legal action.
>> ------------------------------------------------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
>> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
>> *Sent:* Monday, August 28, 2023 4:13 PM
>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
>> *Subject:* [midPoint] Question about group membership management in 
>> midpoint
>>
>> Hello,
>>
>> I am working on an Openldap integration with midpoint.
>>
>> It starts working, but I have two questions:
>>
>>
>> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
>> figure out how to manage role membership. I'd like to be able to
>> read/write role members in midpoint so that they keep synchronized in 
>> LDAP.
>>
>> You can see my openldap-resource definition attached.
>>
>> Please notice that LDAP group membership is already visible in midpoint
>> users. If I look at account shadows, I can observe shadow group
>> membership. But I can't manage the membership from here.
>>
>> Does anyone know how to do this? Is there a better approach for managing
>> group membership in midpoint?
>>
>>
>>
>> 2/ some LDAP users are not imported in midPoint when their names are too
>> close to existing users. For example when their name contains a dash.
>>
>> I have understood that this is due to the comparison rule based on
>> PolyString type. I have tried multiple rules:
>>
>> <q:path>name</q:path>
>> <q:matching>polyStringOrig</q:matching>
>>
>> but I can't find any one that compares directly the strings, without
>> normalization. Do you know what I have missed?
>>
>>
>> Also, the openldap-resource I am working on is more complete than those
>> in the docs. Would you be interested to include it? Do you accept
>> contributions?
>>
>>
>> Thanks in advance for your help!
>>
>> Regards,
>>
>> -- 
>> David Coutadeur | IAM integrator
>>
>> david.coutadeur at worteks.com
>> +33 7 88 46 85 34
>> 16 avenue Hoche, Paris 75008
>>
>> Worteks | https://www.worteks.com
> -- 
> David Coutadeur | IAM integrator
>
> david.coutadeur at worteks.com
> +33 7 88 46 85 34
> 16 avenue Hoche, Paris 75008
>
> Worteks |https://www.worteks.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Sven Feyerabend
IT Support Officer
stuvus – Studierendenvertretung Universität Stuttgart
Pfaffenwaldring 5c
70569 Stuttgart
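The metarole pattern that Sven and Arnošt point to, plus Sven's orgs-with-subjectRelation hint, written out as one importable file. This is an added example for this archive page; it is not code from the thread or from the midpoint-samples project. It assumes an OpenLDAP resource with the placeholder OID 10000000-0000-0000-0000-0000000000aa, an account object type with intent "default", an entitlement object type with intent "ldapGroup" that carries the ri:ldapGroup association from David's snippet, and the standard org:manager relation; the role OIDs and names are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or midpoint-samples). Resource OID,
     role OIDs, names and intents below are assumptions; adjust to your resource. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">

    <!-- 1. Metarole. Any role that holds it is projected as an LDAP group,
         and any user who holds such a role becomes a member of that group. -->
    <role oid="10000000-0000-0000-0000-000000000001">
        <name>metarole-ldap-group</name>
        <description>Assign to a business role to project it as an LDAP group.</description>

        <!-- Order-1 inducement (default): applies to the role carrying the metarole.
             It creates the group object itself (kind=entitlement, intent=ldapGroup). -->
        <inducement>
            <construction>
                <resourceRef oid="10000000-0000-0000-0000-0000000000aa" type="ResourceType"/>
                <kind>entitlement</kind>
                <intent>ldapGroup</intent>
                <attribute>
                    <ref>ri:cn</ref>
                    <outbound>
                        <!-- $focus is the role being projected; its name becomes the group cn -->
                        <source><path>$focus/name</path></source>
                    </outbound>
                </attribute>
            </construction>
        </inducement>

        <!-- Order-2 inducement: applies one level further, to the users holding the
             role. It ensures they have an account and links that account to the
             group shadow through the ri:ldapGroup association (group member attribute). -->
        <inducement>
            <construction>
                <resourceRef oid="10000000-0000-0000-0000-0000000000aa" type="ResourceType"/>
                <kind>account</kind>
                <intent>default</intent>
                <association>
                    <ref>ri:ldapGroup</ref>
                    <outbound>
                        <expression>
                            <associationFromLink>
                                <projectionDiscriminator>
                                    <kind>entitlement</kind>
                                    <intent>ldapGroup</intent>
                                </projectionDiscriminator>
                            </associationFromLink>
                        </expression>
                    </outbound>
                </association>
            </construction>
            <order>2</order>
        </inducement>
    </role>

    <!-- 2. A business role projected as an LDAP group "ldap-admins". Assigning it
         to a user adds the user's account DN to the group's member attribute;
         unassigning removes it. Membership is managed in midPoint, never in LDAP. -->
    <role oid="10000000-0000-0000-0000-000000000002">
        <name>ldap-admins</name>
        <assignment>
            <targetRef oid="10000000-0000-0000-0000-000000000001" type="RoleType"/>
        </assignment>
    </role>

    <!-- 3. Delegated administration over an org subtree. A holder of this role who
         is org:manager of some org may read and modify users in that org and in
         all orgs below it, and nothing outside that subtree. -->
    <role oid="10000000-0000-0000-0000-000000000003">
        <name>subtree-admin</name>
        <authorization>
            <name>manage-users-in-own-subtree</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
            <object>
                <type>UserType</type>
                <orgRelation>
                    <!-- the subject must be related to the reference org as manager -->
                    <subjectRelation>org:manager</subjectRelation>
                    <scope>allDescendants</scope>
                    <includeReferenceOrg>true</includeReferenceOrg>
                </orgRelation>
            </object>
        </authorization>
    </role>
</objects>
```

Import the file, then assign metarole-ldap-group to every role that should exist as a group. From that point the role is the authoritative object for the group: its members are the users who hold the role (visible and editable on the role's Members tab), and each assignment or unassignment is pushed to the member attribute of the LDAP group through the association. Editing the member attribute directly in LDAP is reverted or flagged on the next reconciliation, depending on the resource's synchronization settings, which is the check to run after the first import: assign the role to a test user, confirm the DN appears in the group, unassign, and confirm it disappears.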